RPC Interface Buffer Overflow (7.17.03)

This page shows details and results of our analysis of the RPC Interface Buffer Overflow (7.17.03).

Overview

Minimum Engine: 5600.1067
File Length: N/A
Description Added: 2003-07-18
Description Modified: 2003-07-30

Malware Proliferation

Characteristics

This is not a virus or trojan. It is a Microsoft product vulnerability that could be used by an attacker to gain unauthorized system access.

Microsoft has published an advisory regarding a buffer overflow vulnerability present in the Windows RPC service. The RPC service provides remote procedure calls between objects executing on two remote machines running the Windows operating system.


SCOPE
An attacker can exploit this vulnerability by crafting a specially malformed RPC packet and sending it to a vulnerable server. The attacker needs access to the vulnerable server's RPC interface, which is located at port 135.

An attacker may use this vulnerability to execute code of his choice on the victim machine. Since the RPC service executes with SYSTEM privileges, an attacker executing code as the result of this attack can fully compromise the vulnerable server.

Entercept provides patented protection against code execution as a result of buffer overflows and prevents the exploitation of the RPC Interface buffer overflow vulnerability.


VERSIONS AFFECTED
Windows NT 4.0 - All service packs
Windows 2000 - All service packs


RECOMMENDATIONS
In order to best counter this threat, Entercept suggests following its recommended Security Best Practices, including:

1. Apply the MS03-039 patch (includes the MS03-026 patch). Please refer to:

2. Block port 135 when RPC service is not required

3. Deploy Entercept Standard Edition on all critical servers.

  • Sniffer Customers: Download a Sniffer filter to detect known RPC Interface Buffer Overflow (7.17.03) exploit traffic (Sniffer Distributed 4.3 and Sniffer Portable 4.7.5).

Symptoms

N/A. This is not a virus or trojan.

Method of Infection

Removal

About Entercept Security Technologies
Entercept Security Technologies is the proven leader in intrusion prevention software. Based on patented technology, Entercept safeguards the entire server by preventing known and unknown malicious attacks. Unlike other security solutions, Entercept uses a combination of behavioral rules and signatures to proactively prevent attacks rather than merely detecting and reporting them after they occur. Strategic partners include Check Point, Foundstone and other leading companies. Entercept has received numerous awards and industry recognition, including Network Magazine's 2001 Product of the Year, Fortune Small Business Magazine's '65 Big Ideas List', SC Magazine's 'Best Pick of the Year 2000 and 2001', InfoWorld magazine's 'Business Impact of the Year Award', and InfoWorld magazine's Readers Choice 'Security Product of the Year'. www.entercept.com

The information provided is identified, assessed and measured by the Entercept Ricochet security research team, a leading group of security experts dedicated to collecting and evaluating intelligence against server threats.

Variants